Opened 2 years ago

Last modified 10 months ago

#684 new Bug / Defect

improper process termination

Reported by: petrerodan Owned by:
Priority: major Milestone: release 2.3.14
Component: Generic / unclassified Version: OpenVPN 2.3.10 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:


sometimes parent does not wait() for child processes once it receives SIGTERM. I'm sending this signal for the process to start fresh and load a new configuration. having this process hang is a major problem in my setup.

steps to reproduce (does not happen in 80% of cases):

# killall openvpn

# ps axww | grep openvpn
3524 ? S 0:00 supervise openvpn_tcp

19122 ? Sl 0:01 /usr/sbin/openvpn --config /etc/openvpn/openvpn-tcp.conf --syslog
19125 ? Z 0:00 [openvpn] <defunct>
19126 ? Z 0:04 [openvpn] <defunct>

openvpn should completely terminate at this point. instead the master process is still doing a read() from a dead child:

# strace -f -s1000 -p 19122

Process 19122 attached with 2 threads
[pid 19562] futex(0x80e988160dc, FUTEX_WAIT_PRIVATE, 37, NULL <unfinished ...>
[pid 19122] read(7,

# ls -al /proc/19122/fd/7

lrwx------ 1 root root 64 May 17 09:53 /proc/19122/fd/7 -> socket:[1465476]

# lsof | grep 1465476

openvpn 19122 openvpn 7u unix 0x0000000000000000 0t0 1465476 P0 type=DGRAM
openvpn 19122 19562 openvpn 7u unix 0x0000000000000000 0t0 1465476 P0 type=DGRAM

# ps axjf
3513 3524 3493 3493 ? -1 S 0 0:00 | \_ supervise openvpn_tcp
3524 19122 3493 3493 ? -1 Sl 108 0:01 | | \_ /usr/sbin/openvpn --config /etc/openvpn/openvpn-tcp.conf --syslog

19122 19125 3493 3493 ? -1 Z 0 0:00 | | \_ [openvpn] <defunct>
19122 19126 3493 3493 ? -1 Z 0 0:04 | | \_ [openvpn] <defunct>


# emerge --info

Portage 2.2.28 (python 2.7.10-final-0, hardened/linux/amd64/no-multilib, gcc-4.9.3, glibc-2.22-r4, 4.4.8-grsec-i010 x86_64)
System uname: Linux-4.4.8-grsec-i010-x86_64-Intel-R-_Core-TM-_i3-2100_CPU_@_3.10GHz-with-gentoo-2.2
KiB Mem: 1015728 total, 160540 free
KiB Swap: 524284 total, 523360 free
Timestamp of repository gentoo: Tue, 17 May 2016 05:30:01 +0000

# openvpn --version

OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on May 5 2016
library versions: OpenSSL 1.0.2h 3 May 2016, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@…>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=no enable_plugin_down_root=no enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_socks=no enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir=usr/lib64/openvpn with_sysroot=no

./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --disable-dependency-tracking --disable-silent-rules --libdir=/usr/lib64 --docdir=/usr/share/doc/openvpn-2.3.10-r1 --with-plugindir=usr/lib64/openvpn --enable-ssl --enable-crypto --enable-lzo --disable-pkcs11 --enable-plugins --enable-iproute2 --disable-socks --disable-plugin-auth-pam --disable-plugin-down-root --disable-systemd

the openvpn configuration does use an external radius plugin.

Attachments (2)

openvpn.log.bz2 (40.6 KB) - added by petrerodan 2 years ago.
verb=11 log
openvpn.conf (910 bytes) - added by petrerodan 20 months ago.
openvpn configuration (ips and ports are made up)

Download all attachments as: .zip

Change History (8)

comment:1 Changed 2 years ago by Gert Döring

Can you add an openvpn log that shows what it's doing when receiving the SIGTERM?

comment:2 Changed 2 years ago by petrerodan

what verbosity level would you prefer?

Changed 2 years ago by petrerodan

Attachment: openvpn.log.bz2 added

verb=11 log

comment:3 Changed 2 years ago by petrerodan

I switched to version 2.3.11 and the bug was replicated quite easily. the attached log was for an openvpn server that had verb=11. at the end of the log the daemon received a SIGTERM and it's two childs entered the defunct state described above.

comment:4 Changed 21 months ago by Gert Döring

Milestone: release 2.3.14

comment:5 Changed 20 months ago by mandree

Can you provide your configuration, with private/identifying data masked?

Changed 20 months ago by petrerodan

Attachment: openvpn.conf added

openvpn configuration (ips and ports are made up)

comment:6 Changed 10 months ago by David Sommerseth

I wonder if this is related to the radius plug-in. Can you try this on an openvpn config not using the plug-in?

Note: See TracTickets for help on using tickets.